How to create a certificate template for untrusted Operations Manager agents

Posted: February 28, 2010 in Uncategorized

In Operations Manager 2007 you can monitor hosts that are in another domain or in a DMZ. For this to work you'll need to create a certificate. If you're working with an Operations Manager Gateway you'll also need this.
The reason you need this certificate is that the Root Management Server (RMS) needs to trust the agent installed on the host, and vice versa. The certificate is used for the authentication of the agents, the Health service to be more specific. Creating these certificates is quite easy if you have a certificate template, so in this blog I'll try to explain how you can create a certificate template for Operations Manager. Note that this will only work if your Certificate Authority is an Enterprise Root CA; this will not work with a Standalone Root CA, because standalone CAs do not use certificate templates.

The first thing you need to know is: do I have a certificate authority in the network? If you're implementing SCOM in an unknown environment, a quick way to check if there is a CA is to look in Active Directory. Open Active Directory Users and Computers and search for the group Cert Publishers, which is a built-in AD group. By checking the members of this group you'll be able to see which servers have the certificate authority installed. If the Cert Publishers group is not in AD, there hasn't been a CA installed yet 🙂

Once connected to the server that has the CA role, start the Certification Authority console, which can be found in the Administrative Tools menu. In the console go to the Certificate Templates folder, right-click it and choose Manage; the Certificate Templates Console will be launched. In this console you can see all of the certificate templates that already exist in your environment.

Note: It makes a difference whether the CA role is installed on the Standard or the Enterprise edition of the Windows OS. The Enterprise edition has many more certificate templates out of the box.

In the middle pane of the Certificate Templates console look for the certificate template called Computer. Once found, right-click it and select Duplicate Template. If your CA is installed on Windows Server 2008 you'll get this window:


Select Windows Server 2003 Enterprise. If you select Windows Server 2008 Enterprise you could run into the issue that you won't be able to see the template using web enrollment and won't be able to use the certificate template for operating systems older than Vista. So stick to the default setting in that case and click OK. If the CA is Windows Server 2003 or earlier you won't get this window.
The Properties window for this new certificate template will be opened. The first thing you'll need to do is give the template a name that is meaningful for future use, something like OpsMgr Certificate Template. Because you need to export the certificate later on, select Allow private key to be exported, which can be found under the Request Handling tab. In the Subject Name tab change the setting to Supply in the request.
To be able to enroll the certificate via web enrollment, go to the Security tab and change the settings for Authenticated Users by checking the boxes for Enroll and Autoenroll. Of course this depends on the security that is required for your organization: since the subject name is supplied in the request, anyone with Enroll rights on this template can ask for a certificate with any subject name, so restrict Enroll to the group that actually needs to request OpsMgr certificates where you can.
The next tab to check is the Extensions tab. If you used the Computer certificate template as indicated at the beginning of this blog it should be OK, but to make sure that your certificates will be usable by the OpsMgr agents later on, check that the Application Policies contain both Client Authentication and Server Authentication, as shown in the picture below. If they're not in there, the certificates you create from this template cannot be used for Operations Manager. Well, they can be used, but they won't work … :p


If these settings have been selected, click OK and the certificate template is created. Open the template's settings once more to verify them before publishing. Before you can use the template in web enrollment you need to publish it. Close the Certificate Templates Console and go back to the Certification Authority console, right-click Certificate Templates, go to New and select Certificate Template to Issue. A new window will open where you can select the certificate template that you have just created; click OK to confirm and that's it. You should now be able to request OpsMgr certificates via web enrollment. If the certificate template is not yet available you might want to force a GPO update or give it some more time; the certificate template has probably not replicated yet. I've seen it take some time even when the CA role is installed on the same box as the DC.

All that is left to do now is connect to the CA web enrollment site from your RMS and request your certificate, move it from the "user private store" to the "computer private store", then export the certificate to a CER-format file, import it using MOMCertImport.exe (which can be found on the installation media) and bounce the Health service.
You'll need to do these last steps on all of the servers that you'll be monitoring in the DMZ as well.
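Before running MOMCertImport.exe on the RMS or on a DMZ host, it is worth checking that the certificate sitting in the computer's personal store actually meets the requirements described above. The following PowerShell is an added example, not part of the original post or of Operations Manager; the function name and its parameter are my own, and the check that the subject CN equals the machine FQDN is a requirement taken from OpsMgr practice rather than from this post.

```powershell
# Added example: inspect certificates in the computer store for OpsMgr suitability.
# Function name and parameter are assumptions, not an OpsMgr or Windows API.
function Test-OpsMgrCertificate {
    param(
        # Optional thumbprint; without it every certificate in the computer store is checked.
        [string]$Thumbprint
    )
    $clientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU (Application Policies tab)
    $serverAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU (Application Policies tab)
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $now  = Get-Date

    # The certificate must live in the computer store, not the user store.
    $certs = Get-ChildItem Cert:\LocalMachine\My
    if ($Thumbprint) { $certs = $certs | Where-Object { $_.Thumbprint -eq $Thumbprint } }

    foreach ($cert in $certs) {
        # Enhanced Key Usage extension is OID 2.5.29.37; collect the EKU OIDs it lists.
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $ekus = @()
        if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

        # CN of the subject, which OpsMgr expects to be this machine's FQDN (assumption from practice).
        $subjectCn = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

        $hasKey   = $cert.HasPrivateKey                 # the request must have been made for this machine
        $client   = $ekus -contains $clientAuth
        $server   = $ekus -contains $serverAuth
        $validNow = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
        $trusted  = $cert.Verify()                      # issuing CA chain must be trusted on this box

        [PSCustomObject]@{
            Thumbprint      = $cert.Thumbprint
            Subject         = $cert.Subject
            HasPrivateKey   = $hasKey
            ClientAuthEku   = $client
            ServerAuthEku   = $server
            SubjectIsFqdn   = ($subjectCn -ieq $fqdn)
            WithinValidity  = $validNow
            ChainTrusted    = $trusted
            UsableForOpsMgr = $hasKey -and $client -and $server -and $validNow -and $trusted
        }
    }
}

# Usage: list every certificate in the computer store with its OpsMgr checks.
Test-OpsMgrCertificate | Format-List
```

A certificate that reports ChainTrusted as false on the agent side but true on the RMS usually means the issuing CA's certificate has not been imported into the DMZ host's Trusted Root store, which is the other half of the mutual trust the post describes.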

  1. Mobs Hoods says:

    Great post, and very helpful. Was able to fix my issue. Greatly appreciating your efforts.

